In late May 2024, Sekoia’s Threat Detection & Research (TDR) team received an insight from a partner about an ongoing phishing campaign leveraging HTML attachments that mimicked Microsoft 365 login pages. The phishing pages were able to relay some methods of multi-factor authentication (MFA), and made use of the Socket.IO JavaScript library to communicate via websockets with a backend server. At first glance, these characteristics resembled those of the Tycoon 2FA phishing-as-a-service platform, but closer inspection found that the campaign leveraged a previously unknown adversary-in-the-middle (AiTM) phishing kit, which Sekoia tracks as Mamba 2FA.
TDR illuminated the infrastructure hosting the phishing pages and developed detection rules to identify Entra ID accounts compromised via this kit. Retro-hunting uncovered that several Sekoia XDR customers had been targeted by campaigns leveraging Mamba 2FA in the previous months, suggesting a widespread threat. Finally, during this investigation we identified that the kit was sold as phishing-as-a-service (PhaaS).
On 26 June 2024, ANY.RUN published an analysis of a phishing campaign that matched the characteristics and infrastructure of Mamba 2FA. Since then, and likely in reaction to this publication, the phishing kit and associated infrastructure have undergone several significant changes.
As of October 2024, the URLs of Mamba 2FA phishing pages have the following structure:
https://{domain}/{m,n,o}/?{Base64 string}
For example:
https://tubope[.]com/n/?c3Y9bzM2NV8xX25vbSZyYW5kPVZFUnhiR1k9JnVpZD1VU0VSMjUwOTIwMjRVMDgwOTI1NTk=
The phishing page is displayed only if a valid Base64 parameter is present. If the parameter is absent or invalid, the page is blank.
However, the phishing kit also tries to detect automated web browsers and security sandboxes. In that case, the visitor is redirected to https://google.com/404/.
Once decoded, the Base64 parameter follows the structure of a URL query string, with three field-value pairs. For example:
sv=o365_1_nom&rand=VERxbGY=&uid=USER25092024U08092559
- `sv` controls the appearance of the phishing page
- `rand` is a Base64-encoded pseudo-random string, whose function is unknown
- `uid` is presumed to be a unique identifier for each customer of the PhaaS platform

The email address targeted by the phishing attempt can be added at the end of the URL, separated from the Base64 parameter by the string `N0123N`, or by a `#` (URL fragment). If present, this address will be automatically pre-filled in the login form. This email address is optionally Base64-encoded. The four examples below are equivalent:
https://tubope[.]com/n/?c3Y9bz...TI1NTk=N0123Nsatyan@microsoft.com
https://tubope[.]com/n/?c3Y9bz...TI1NTk=N0123Nc2F0eWFuQG1pY3Jvc29mdC5jb20=
https://tubope[.]com/n/?c3Y9bz...TI1NTk=#satyan@microsoft.com
https://tubope[.]com/n/?c3Y9bz...TI1NTk=#c2F0eWFuQG1pY3Jvc29mdC5jb20=
The appearance of the phishing page can be one of four types, depending on the `sv` parameter:

- `sv=o365_#_one` imitates OneDrive
- `sv=o365_#_nom` is a generic Microsoft sign-in page
- `sv=o365_#_sp` mimics a SharePoint Online secure link
- `sv=o365_#_voice` purports to be a voice mail, then displays a generic Microsoft sign-in page after a click

(where `#` is a number, usually `1` in recent weeks, whose function is unknown)
The Mamba 2FA phishing platform features similar capabilities to the other popular AiTM phishing-as-a-service offerings of the cybercrime ecosystem:
The Mamba 2FA phishing pages are sold on Telegram on a subscription model. At the price of $250 for 30 days, customers are given access to a Telegram bot that allows them to generate phishing links and HTML attachments on demand.
The operator of the service maintains the infrastructure that hosts the phishing pages. The servers and domain names are not attributed to a specific customer but rather used as a shared pool for several or all customers.
Mamba 2FA has been advertised on Telegram since at least March 2024. However, according to data from public URL and file analysis sandboxes, the kit has been used in phishing campaigns since November 2023. The operator of the service had a long-standing presence on ICQ until this messaging platform shut down in June 2024, and this may be where Mamba 2FA was primarily sold before shifting to Telegram.
Since its inception, the Mamba 2FA service featured the ability for customers to generate HTML files meant to be distributed as email attachments in phishing campaigns, or hosted on object storage services such as Cloudflare R2 or IPFS.
The content of these HTML files has significantly evolved over time, as the service’s developer tries to evade defensive controls. As of October 2024, these files are often filled with benign content, surrounding a small snippet of JavaScript code that redirects to the actual phishing page. The content is made invisible via CSS, causing the document to appear blank until the redirection happens. The filler content used changes frequently and is usually taken from seemingly random websites. The URL of the phishing page is Base64-encoded in the script.
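As an added example (not code from the Sekoia report, nor from the kit itself), the following Python dissects a Mamba 2FA link into its `sv`, `rand`, `uid` and pre-filled target fields, handling both the `N0123N` and `#` variants and the optional Base64 encoding of the address described earlier, and then reuses that parser to recover the redirect URL from an HTML attachment. The function names are mine; the attachment sample is constructed for this example and assumes only what the report states, namely that the phishing URL sits Base64-encoded somewhere inside the script.

```python
"""Added example (not from the Sekoia report): dissect a Mamba 2FA phishing link and
recover such links from the Base64-encoded redirect inside an HTML attachment.

The URL layout, the N0123N separator, the sv/rand/uid fields and the template names are
taken from the report. The HTML attachment sample is constructed for this example.
"""
import base64
import binascii
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

TARGET_SEPARATOR = "N0123N"
PATH_RE = re.compile(r"^/[mno]/$")
SV_RE = re.compile(r"^o365_(\d+)_(one|nom|sp|voice)$")
TEMPLATES = {
    "one": "OneDrive",
    "nom": "generic Microsoft sign-in page",
    "sp": "SharePoint Online secure link",
    "voice": "voice mail",
}
# Loose Base64 token matcher used when scanning script content.
B64_TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


@dataclass
class MambaLink:
    domain: str
    sv: str
    rand: str
    uid: str
    template: str
    target_email: Optional[str]


def b64_to_text(token: str) -> Optional[str]:
    """Strict Base64 decode to UTF-8 text, or None if the token is not valid Base64."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def decode_target(value: str) -> str:
    """The pre-filled victim address is either plain or Base64-encoded."""
    if "@" in value:
        return value
    decoded = b64_to_text(value)
    return decoded if decoded and "@" in decoded else value


def parse_mamba_link(url: str) -> Optional[MambaLink]:
    """Return the link's components, or None if the URL does not follow the
    https://{domain}/{m,n,o}/?{Base64} structure with a decodable query."""
    parts = urlsplit(url.replace("[.]", "."))  # accept defanged URLs from reports
    if parts.scheme != "https" or not PATH_RE.match(parts.path):
        return None
    query, target = parts.query, None
    if parts.fragment:                       # variant: #victim or #Base64(victim)
        target = decode_target(parts.fragment)
    if TARGET_SEPARATOR in query:            # variant: ...N0123Nvictim
        query, _, tail = query.partition(TARGET_SEPARATOR)
        target = decode_target(tail)
    decoded = b64_to_text(query)
    if decoded is None:
        return None
    fields = {}
    for pair in decoded.split("&"):          # rand's own Base64 may contain '+' and
        key, _, value = pair.partition("=")  # '=', so split by hand, not parse_qs
        fields[key] = value
    if not {"sv", "rand", "uid"} <= set(fields):
        return None
    m = SV_RE.match(fields["sv"])
    template = TEMPLATES[m.group(2)] if m else "unknown"
    return MambaLink(parts.hostname, fields["sv"], fields["rand"], fields["uid"],
                     template, target)


def extract_links_from_html(html: str) -> list:
    """Scan every <script> block for Base64 tokens that decode to a Mamba 2FA link."""
    found = []
    for script in re.findall(r"<script[^>]*>(.*?)</script>", html, re.S | re.I):
        for token in B64_TOKEN_RE.findall(script):
            text = b64_to_text(token)
            if text and text.startswith("https://"):
                link = parse_mamba_link(text)
                if link:
                    found.append(link)
    return found


# Example link quoted in the report (defanged).
REPORT_URL = ("https://tubope[.]com/n/?"
              "c3Y9bzM2NV8xX25vbSZyYW5kPVZFUnhiR1k9JnVpZD1VU0VSMjUwOTIwMjRVMDgwOTI1NTk=")

# Constructed attachment: CSS-hidden filler text plus a script holding the Base64 URL.
SAMPLE_ATTACHMENT = """<html><head><style>.f{display:none}</style></head><body>
<div class="f">Filler paragraph copied from a random website.</div>
<script>var u=atob("%s");window.location.replace(u);</script>
</body></html>""" % base64.b64encode(REPORT_URL.replace("[.]", ".").encode()).decode()


if __name__ == "__main__":
    print(parse_mamba_link(REPORT_URL))
    for link in extract_links_from_html(SAMPLE_ATTACHMENT):
        print("attachment redirects to customer", link.uid, "template", link.template)
```

Run against URLs pulled from mail-gateway or proxy logs, or against quarantined attachments, the `uid` field lets a SOC cluster sightings per PhaaS customer, while `target_email` reveals who was specifically targeted.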
As of October 2024, the Mamba 2FA infrastructure consists of two layers: the link domains and the relay servers.
The link domains are used in the phishing page URLs described earlier in this article. The main role of these domains is to perform “antibot” detection. If the visitor is identified as a potential security solution or automated activity, they are redirected to a benign page (https://google.com/404/). However, if not identified as a bot, the servers display a minimal HTML document, which looks like this:
The `sti` attribute of the `<html>` tag contains the Mamba 2FA customer’s unique identifier (`USER…`), Base64-encoded twice. The `vic` attribute contains the target email address, if it was specified, optionally Base64-encoded.
The page doesn’t have any content (`<body>` is empty). Instead, it loads two JavaScript files: the Socket.IO library and a template script.
The template script that is included in the page controls the appearance of the phishing page. As described earlier, Mamba 2FA currently offers four page templates. As of October 2024, the names of the scripts are:
- `jsdrive.js`: OneDrive template (`sv=o365_#_one`)
- `jsnom.js`: generic Microsoft sign-in page (`sv=o365_#_nom`)
- `jssp.js`: SharePoint template (`sv=o365_#_sp`)
- `jsv.js`: voice mail template (`sv=o365_#_voice`)

Once loaded, the template script injects into the page the HTML content required to render the phishing page. This script also contains the domain name of a relay server. Using the Socket.IO library, the template script establishes a bidirectional connection to the relay server.
Socket.IO is a JavaScript library that makes it easy for developers to establish bidirectional network communications between a web browser and a server. In modern browsers, this connection is established over WebSockets. If this protocol is not available, the library falls back to HTTP long-polling.
From this point onward, every action performed by the visitor on the page (e.g. submitting an email address or a password) is communicated to the relay server. The relay server sends back commands that update the phishing page’s appearance (e.g. display an error message or an MFA challenge).
The template script of the phishing page can send three commands (events) to the relay server:
event | parameters |
---|---|
new-session | `uid`: Mamba 2FA customer unique identifier; `email`: victim’s email address; `ua`: web browser User-Agent; `timeZone`: web browser time zone; `browserLanguage`: web browser language |
password_command | `password`: user’s password |
otp_command | `phish_otp`: user’s MFA input |
The relay server sends commands to update the phishing page in response to the user’s actions:
event | meaning |
---|---|
s2c | general page updates |
s2c_cookies | cookies captured, redirect to `endUrl` |
s2c_restart | timeout or error, reload page |
The `s2c` event has a large list of parameters that are used at different stages of the phishing session:

- `phish_state`: tracks the current stage of the phishing session. Values include `RQ_EMAIL`, `RQ_PASSWORD`, `RQ_OTP_NOPASS_APP`, `RQ_OTP_APP`, `RQ_OTP_APP_CODE`, `RQ_OTP_PHONE`.
- `email_type`: values include `ADFS` and `O365`
- `bannerLogo`, `backgroundImage`, `boilerText`: organisation’s custom login page branding
- `email_exist`, `CORRECT_PASSWORD`, `OTP_TYPE`, `CORRECT_OTP`
- `endUrl`: URL where the victim is redirected once the cookies have been captured
- `phish_id` and `phish_groupid`: internal parameters, unknown function

The relay servers host the core adversary-in-the-middle functionality of Mamba 2FA. Using the credentials received from the phishing page via Socket.IO, they perform requests to the Microsoft authentication servers to sign in as the victim.
The link domains, being used in the URLs of the phishing pages, are easily visible to the victims and are usually reported and blocked by security solutions after a few days of use. For this reason, the operator of Mamba 2FA maintains around a dozen link domains at any time and replaces them about every week.
On the other hand, the domain names used for the relay servers are less exposed, and it is common for them to last several weeks.
Until late September 2024, the relay servers were connecting directly to the Entra ID servers when performing authentications with victims’ credentials. As a result, the IP addresses of the relay servers were exposed in the authentication logs of the targeted tenants. However, starting October 2024, the developers of Mamba 2FA implemented an additional indirection layer, utilising proxy servers sourced from a commercial provider (IPRoyal). Consequently, the IP addresses appearing in authentication logs since October 2024 are those of the datacenter proxies, not the relay servers. (These proxy servers are not pictured on the architecture schema above.)
If you are a SOC or CERT, we can share additional detection opportunities with you under TLP:GREEN. Please contact tdr [ at ] sekoia [ dot ] io.
Since October 2024, Entra/M365 sign-ins from IP addresses of IPRoyal proxies used by Mamba 2FA (non-exhaustive list):
23.26.35[.]67
23.26.206[.]99
45.86.54[.]206
45.9.153[.]102
Between August and October 2024, Entra/M365 sign-ins from IP addresses of Mamba 2FA relay servers:
2607:5500:3000:1cab::2 (since 2024-08-28)
2607:5500:3000:7bc::2 (since 2024-09-10)
2607:5500:3000:312::2 (since 2024-09-24)
2607:5500:3000:7a5::2 (2024-09-20 – 2024-09-26)
2607:5500:3000:a8c::2 (2024-09-06 – 2024-09-22)
2607:5500:3000:fea::2 (2024-07-03 – 2024-09-07)
2607:5500:3000:b16::2 (2024-07-03 – 2024-08-30)
The following IP addresses were used previously, between November 2023 and July 2024 (non-exhaustive list):
45.61.130[.]11
45.61.169[.]4
172.86.64[.]212
172.86.96[.]84
172.86.96[.]128
172.86.97[.]78
172.86.97[.]165
172.86.104[.]33
172.86.104[.]64
172.86.104[.]178
172.86.105[.]59
172.86.105[.]72
172.86.106[.]94
Outgoing connection to domains of Mamba 2FA relay servers:
ccokies1cakes[.]com (since 2024-09-23)
ccokies2mangoes[.]com (since 2024-09-23)
ccokies3tomatoes[.]com (since 2024-09-23)
m1tis-apicookies[.]com (since 2024-08-12)
m2fes-apicookies[.]com (since 2024-08-12)
m3mas-apicookies[.]com (since 2024-09-10)
winss0conect[.]click (2024-07-22 – 2024-08-12)
winstnet80nss[.]cfd (2024-07-22 – 2024-08-12)
tenetur[.]top (2024-06-26 – 2024-07-22)
tenetur[.]xyz (2024-06-26 – 2024-07-22)
The following domains were used previously, between November 2023 and July 2024:
hypexfinancial[.]com
voltampereactive[.]com
planchereserver[.]com
thirdmandomavis[.]com
fourthmanservice[.]com
sithchibb[.]com
copelustration[.]xyz
copefood[.]xyz
seven-oranges[.]com
onemanforest[.]com
twomancake[.]com
threemanshop[.]com
fourmanchurch[.]com
fivemanchool[.]com
sixmanteams[.]com
sevenmanjungle[.]com
88mansession[.]com
fiveradio-newbam[.]com
nine9manforest[.]com
10decadesmen[.]com
11cyclesforest[.]com
1messisnfarm[.]com
2moniunesson[.]com
3alphabetjay[.]com
4sessionmoon[.]com
5poleanalhy[.]com
6treesmangle[.]com
7motionmansa[.]com
8boomandool[.]com
9cantronnfit[.]com
10trioneyue8ss[.]com
11beamgools[.]com